How Power over Ethernet (PoE) Works: 802.3af/at/bt Explained

Power over Ethernet (PoE) is a set of IEEE standards that allow electrical power to be delivered alongside data over standard Ethernet copper cabling. Instead of running separate power cables to every access point, IP camera, VoIP phone, and IoT sensor in a building, PoE lets a single Cat5e or Cat6 cable carry both the network connection and the power supply. The technology has evolved through four generations -- 802.3af, 802.3at, 802.3bt Type 3, and 802.3bt Type 4 -- increasing the available power from 15.4 watts to nearly 100 watts per port.

PoE is foundational to modern network infrastructure. It simplifies deployment (no electrician needed at each device location), enables centralized power management (UPS at the switch protects all connected devices), and makes it practical to install network equipment in locations where AC power outlets do not exist -- ceilings, outdoor poles, elevator shafts, and factory floors. Understanding how PoE works requires knowledge of the electrical characteristics of Ethernet cabling, the negotiation protocols between power-sourcing equipment and powered devices, and the practical constraints of power budgeting across a switch.

Fundamentals: PSE and PD

Every PoE system has two components:

• Power Sourcing Equipment (PSE) -- The device that provides power. This is typically a PoE-capable Ethernet switch (an "endpoint PSE") or a midspan injector (a device placed between a non-PoE switch and the powered device). The PSE sources DC power onto the Ethernet cable's copper pairs.
• Powered Device (PD) -- The device that consumes power. Examples include wireless access points, IP cameras, VoIP phones, door access controllers, LED lighting fixtures, thin clients, and IoT sensors. The PD extracts DC power from the cable and uses it to operate without a separate power supply.

Before applying power, the PSE must determine whether the device at the other end of the cable is a legitimate PD (and not a non-PoE device like a laptop that would be damaged by unexpected voltage on the data pins). This detection and classification process is a critical safety mechanism.

PoE Standards Evolution

The gap between PSE output power and PD available power is due to resistive losses in the cable. A 100-meter Cat5e run has approximately 12.5 ohms of loop resistance per pair, and at the currents involved in PoE, the I2R losses are significant. This is why PoE standards specify both the PSE output and the guaranteed minimum at the PD end.

How Power Is Delivered Over Ethernet Cables

An Ethernet cable (Cat5e or better) contains four twisted pairs of copper wire, for a total of eight conductors. In 10/100 Mbps Ethernet (10BASE-T, 100BASE-TX), only two pairs are used for data -- pairs on pins 1-2 and 3-6. The other two pairs (pins 4-5 and 7-8) are spare. In Gigabit Ethernet (1000BASE-T) and above, all four pairs carry data.

PoE can deliver power in two ways, called "modes" or "alternatives":

Alternative A: Power on Data Pairs

Power is applied as a common-mode voltage on the same pairs that carry data (pins 1-2 and 3-6). This works because Ethernet data signals are differential: the data is encoded as the voltage difference between the two wires in a pair, and any voltage that appears equally on both wires (common-mode) is ignored by the Ethernet transceiver. The PSE applies +48V DC on one data pair's center tap and return on the other pair's center tap. The magnetic isolation transformers in the Ethernet port separate the DC power from the AC data signal.

Alternative A is the mandatory mode for endpoint PSEs (PoE switches) under 802.3af and 802.3at. It allows PoE to work even with only two connected pairs, making it compatible with legacy Cat3 wiring that only has two pairs.

Alternative B: Power on Spare Pairs

Power is applied on the two spare pairs (pins 4-5 and 7-8) that are not used for data in 10/100 Mbps Ethernet. One pair carries the positive voltage, the other carries the return. This mode does not interfere with data at all, since the power and data travel on physically separate conductors.

Alternative B is the mandatory mode for midspan injectors (since they cannot access the data pairs' center taps without being inline with the Ethernet transceivers). For 802.3bt (Type 3 and Type 4), both alternatives are used simultaneously -- power is delivered on all four pairs to achieve the higher wattage levels.

Detection: Is This a PoE Device?

The most critical safety feature in PoE is the detection phase. A PSE must never apply 48-57V DC to a port unless it has confirmed that a compliant PD is connected. Applying power to a non-PoE device -- a laptop's Ethernet port, a printer, or a bare cable -- could damage the device's Ethernet transceiver or create a safety hazard.

Detection works by applying a small test voltage (2.8-10V) to the cable and measuring the current that flows. A compliant PD contains a 25 kohm "signature resistor" between its power input pins. The PSE applies at least two voltage levels and measures the resulting current. If the I-V relationship matches a 25 kohm resistance (within tolerance), the PSE knows a valid PD is connected. If the resistance is too low (a short circuit or a non-PoE device), too high (an open circuit or no device), or non-linear (a capacitive load like some legacy equipment), the PSE does not apply power.

The detection voltage is low enough that it cannot damage non-PoE equipment. Even if a device does not have the 25 kohm signature resistor, the 2.8-10V test signal is within the common-mode tolerance of standard Ethernet transceivers.

Classification: How Much Power Does It Need?

After detection confirms a valid PD, the PSE performs classification to determine how much power the PD requires. During classification, the PSE applies a voltage between 14.5V and 20.5V, and the PD draws a specific current to indicate its power class:

Class   PD Current     Max PD Power     Typical Use Case
  0     0-4 mA         12.95 W          Default (full 802.3af budget)
  1     9-12 mA        3.84 W           VoIP phones
  2     17-20 mA       6.49 W           IP cameras (basic)
  3     26-30 mA       12.95 W          Wireless APs, PTZ cameras
  4     36-44 mA       25.50 W          High-power APs (802.3at)
  5     (via LLDP)     40.0 W           802.3bt Type 3
  6     (via LLDP)     51.0 W           802.3bt Type 3
  7     (via LLDP)     62.0 W           802.3bt Type 4
  8     (via LLDP)     71.3 W           802.3bt Type 4

Classes 0-4 use the physical-layer current-based classification described above. Classes 5-8 (introduced in 802.3bt) require LLDP (Link Layer Discovery Protocol) negotiation after the link is established, because the physical classification mechanism cannot distinguish classes beyond 4.

Power Negotiation via LLDP

LLDP-MED (Media Endpoint Discovery) and the 802.3bt power negotiation extensions allow the PSE and PD to exchange detailed power information over the data link after the Ethernet connection is established. This provides capabilities that physical-layer classification alone cannot:

• Fine-grained power requests -- Instead of discrete classes, the PD can request a specific wattage (e.g., 18.3W) and the PSE can grant exactly that amount or offer a lower allocation.
• Dynamic power adjustment -- The PD can request more or less power as its needs change (e.g., a PTZ camera drawing more power when its heater activates in cold weather).
• Priority assignment -- The PSE can assign power priorities (critical, high, low) to each port. When the total power budget is exceeded, low-priority ports are shed first.
• Autoclass -- Introduced in 802.3bt, the PSE measures the PD's actual power consumption during a brief measurement window and allocates only what the PD actually needs, rather than the maximum for its class. This dramatically improves power budget utilization.

Cisco devices also support CDP (Cisco Discovery Protocol) for PoE negotiation, which predates the LLDP-based standards. In mixed-vendor environments, LLDP is the interoperable choice, but Cisco-to-Cisco deployments often use CDP for richer negotiation features.

Endpoint PSE vs Midspan Injectors

Power can be sourced from two types of equipment:

Endpoint PSE (PoE Switch)

An endpoint PSE is an Ethernet switch with integrated PoE power supplies. Each port has a PSE controller that performs detection, classification, and power management. The switch's internal power supply must be sized to handle the aggregate PoE load across all ports. A 48-port 802.3bt Type 4 switch could theoretically need to supply up to 48 x 99.9W = 4,795W of PoE power, though in practice, most deployments use a fraction of this due to power budgeting and the fact that most PDs draw far less than the maximum.

Endpoint PSEs can use either Alternative A or Alternative B for power delivery. They have direct access to the data pairs' magnetic transformers, so they can inject power on the center taps of the data pairs (Alternative A) or on the spare pairs (Alternative B) or both (802.3bt).

Midspan Injector

A midspan injector is a standalone device that sits between a non-PoE switch and the PDs. It has two Ethernet ports per channel: one connects to the switch (data in) and one connects to the PD (data + power out). The midspan passes data through transparently while injecting power onto the spare pairs (Alternative B only). Midspan injectors cannot use Alternative A because they do not have access to the data pairs' center taps -- they would need to break the data path and add isolation transformers, which is impractical.

Midspan injectors are useful when upgrading an existing non-PoE network: you keep your current switch and add a midspan in the wiring closet to provide PoE to new devices. They are also used in scenarios where a higher-power PoE standard is needed than the switch supports (e.g., adding 802.3bt to a network with 802.3af switches).

Power Budgeting

One of the most common operational challenges with PoE is power budgeting -- ensuring that the total power demanded by all PDs does not exceed the PSE's power supply capacity. A 48-port PoE switch does not necessarily have enough internal power to run all 48 ports at maximum power simultaneously.

Consider a typical enterprise access switch: a Cisco Catalyst 9300-48P has a PoE budget of 740W. If all 48 ports connect 802.3at (30W) devices, the total demand would be 1,440W -- nearly double the budget. The switch must either deny power to some ports or negotiate lower power allocations.

Network administrators manage PoE budgets through several mechanisms:

• Port priority -- Critical infrastructure (access points, door controllers) is assigned high priority. When the budget is exhausted, the switch denies power to low-priority ports first.
• Power policing -- The PSE monitors actual power draw on each port and can shut down ports that exceed their allocated wattage (which might indicate a fault).
• Fast PoE / Perpetual PoE -- Some switches support powering devices immediately on boot, before the switch OS is fully loaded. This is critical for always-on devices like door controllers and IP phones that should not lose power during switch reboots.
• Redundant power supplies -- Enterprise switches support dual power supplies, allowing the PoE budget to be maintained if one supply fails. The budget may be reduced to what a single supply can provide (N+1 redundancy), or the full budget may require both supplies (2N configuration).

Cable Length and Power Loss

PoE is specified for cable runs up to 100 meters, the same maximum as Ethernet data. However, power loss increases linearly with cable length due to the DC resistance of the copper conductors. A Cat5e cable has a maximum DC loop resistance of about 12.5 ohms per pair for a 100-meter run. With 802.3af delivering 350 mA per pair, the I2R loss is approximately:

P_loss = I^2 x R = (0.350)^2 x 12.5 = 1.53 W per pair
Total loss (2 pairs) = ~3.06 W

With 802.3bt Type 4 at ~600 mA per pair (4 pairs):
P_loss per pair = (0.600)^2 x 12.5 = 4.50 W
Total loss (4 pairs) = ~18 W

This is why the PD available power is significantly less than the PSE output power, and why cable quality matters for high-power PoE. Cat6A cable has lower DC resistance than Cat5e (approximately 7 ohms per 100m pair), reducing losses. For 802.3bt deployments, Cat6A is strongly recommended.

For runs shorter than 100 meters, the losses are proportionally lower. A 30-meter cable run loses only about 30% of the power lost by a 100-meter run, which means more power is available at the PD.

Disconnection and Safety

PoE includes multiple safety mechanisms to prevent hazards:

• Maintain Power Signature (MPS) -- The PD must continuously draw a minimum current (10 mA for 802.3af) or apply a valid AC impedance. If the PSE detects that the PD has stopped drawing current (indicating a disconnect or device failure), it removes power from the port within 300-400 ms. This prevents energized cables from dangling free with 57V on them.
• Overcurrent protection -- The PSE monitors each port's current draw and will disconnect a port that exceeds the allocated maximum, protecting against short circuits or faults.
• Inrush current limiting -- When power is first applied, the PD's input capacitors would draw a large surge current. The PD's PoE controller limits this inrush to prevent tripping the PSE's overcurrent protection.
• Thermal protection -- Both PSE and PD controllers include thermal monitoring. If a port or connector overheats (often due to a poor connection or damaged cable), the PSE can reduce or remove power.

PoE for Network Infrastructure

PoE has become the standard power delivery method for several categories of network infrastructure devices:

• Wireless Access Points -- Nearly all enterprise APs are PoE-powered, from simple 802.3af single-radio units to high-end WiFi 6E/7 APs requiring 802.3at or 802.3bt for their multiple radios, additional antennas, and embedded IoT radios (BLE, Zigbee).
• IP Cameras -- Fixed cameras typically need 12-15W (802.3af Class 3), while PTZ cameras with heaters and IR illuminators may require 60-90W (802.3bt Type 3/4).
• VoIP Phones -- Low-power devices (3-7W) that are one of the original PoE use cases. PoE eliminates the need for phone power adapters and enables centralized UPS protection so phones keep working during power outages.
• IoT Sensors and Controllers -- Building automation controllers, environmental sensors, and smart lighting systems increasingly use PoE for both power and connectivity.
• Digital Signage and Thin Clients -- 802.3bt enables powering displays and compute devices that previously required AC power, simplifying installation in conference rooms and public spaces.

PoE and Network Design

PoE affects network design in ways that go beyond simply adding power to cables. When every access point, camera, and phone depends on the switch for both connectivity and power, the switch becomes a single point of failure for a much larger portion of the infrastructure. Key design considerations include:

• UPS sizing -- The PoE power budget must be included when sizing the UPS for the wiring closet. A switch with a 740W PoE budget may draw 900W total from the wall (including the switch's own power consumption), requiring a significantly larger UPS than a non-PoE switch.
• Cooling -- PoE switches generate more heat than non-PoE switches. Wiring closet cooling must account for the additional thermal load, which can be substantial with high-density 802.3bt deployments.
• Cable quality audit -- Existing cable plant installed for 100 Mbps may have been terminated with lower-quality connectors or may have individual conductor breaks on the "spare" pairs (4-5, 7-8) that were never tested. Before deploying PoE, a cable certification test should verify all four pairs meet the resistance and crosstalk specifications.
• Structured cabling standards -- TIA-568 and ISO/IEC 11801 have been updated to address PoE thermal concerns. When cables are bundled together in conduit, the heat generated by PoE current can cause temperature rise, potentially exceeding cable temperature ratings and degrading data performance. Standards now specify derating factors for bundled cable runs carrying PoE.

Try It Yourself

The network switches, access points, and cameras powered by PoE all connect to the internet through Ethernet links that carry IP traffic routed by BGP. Use the god.ad BGP Looking Glass to trace the routes from your network to any destination on the internet and explore the infrastructure that connects PoE-powered devices to the global routing table.